Overview

overview

10

Static

static

10

eff5fad47b...76.exe

windows7-x64

10

eff5fad47b...76.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-12-2024 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe

  • Size

    431KB

  • MD5

    4962575a2378d5c72e7a836ea766e2ad

  • SHA1

    549964178b12017622d3cbdda6dbfdef0904e7e2

  • SHA256

    eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676

  • SHA512

    911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53

  • SSDEEP

    12288:JOKJim5EI9tVEw/JF4+D3q2IMbgiDK7mWasB:Jj9tL8ZMEiDfWb

Score
8/10
credential_accessdiscoveryexecutionpersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • Blocklisted process makes network request 8 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe
    "C:\Users\Admin\AppData\Local\Temp\eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:840
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4484
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:2416
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip' -CompressionLevel Optimal
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1412
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1560
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3892
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:3672
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip' -CompressionLevel Optimal
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4324
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3396
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1960
  • C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
    C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
    1⤵
    • Executes dropped EXE
    PID:1524
  • C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
    C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
    1⤵
    • Executes dropped EXE
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    fe3aab3ae544a134b68e881b82b70169

    SHA1

    926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

    SHA256

    bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

    SHA512

    3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    fd252dc779057e73982ed35b2bd253da

    SHA1

    6c3bf7b1dedf640fc90de7bdf3b456d1ffdb1e8c

    SHA256

    372e07ccd9023096ccdff5c060084973b7c21f41179ec95cef0514854fbf05bd

    SHA512

    e2cdd4c229e3a543409db13bb0b40b0e00f642edb2ad50a9108662937ea190ce1212c165dfafdbd0ad2a58b83836afc8e289bd52f3381deffb66caa3b38c68f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip
    Filesize

    39KB

    MD5

    7ad420c8f103efdd4b8656377b08beb1

    SHA1

    bdf57352c516c152065ded19410d0b8caacdf457

    SHA256

    064482a17e8b5a17f6aad3d48dddc27ec48094e08f22c113aa0d65ba1d6e36a3

    SHA512

    3339c65e35c5b3c51d367958b0a38be63b610254c1688f54a2469fa6826aae4dcc8fef995da29cee0eb8a1ae05fac01e4ab9501c2bfc9c94e44755f76cd4041b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_Files_\AssertResize.docx
    Filesize

    14KB

    MD5

    c30d2e4ac6391f51370ab3933461b2bc

    SHA1

    859033627e1da14585f97d43dcee904e2e8c8cba

    SHA256

    06f05b363f73d669b029ce6f129849c1fa0df57fe161b86b7e8da1b86040e937

    SHA512

    22f078ca4cef890ba8eede25a81d3e602d86a85aca7bdda9453f9dd34e0025c24be7930300ffe37e13dfd7943d47839663757c366fd9ae237e4d958abe754d30

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_Files_\ConvertUse.docx
    Filesize

    17KB

    MD5

    19e925f2819c4452be3c56750deda4fa

    SHA1

    948e65091ea825d896f616fc95880beb908c0cf2

    SHA256

    ae57c387e26d88ba9d6dfe6e359ed913116f45f4c5613cf1b2f46dfba9b9acaf

    SHA512

    e3bde690deb60f808bddd222a76d17069cf9f9774da333478e4925b1bba7ebd06c4f37ac09976ae5d89770298522ae072960ab1736cfbc7fba6c1fec42c2c7f8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_Files_\GetPing.docx
    Filesize

    15KB

    MD5

    748c9ca544fe36d548d9876eefcd1ee8

    SHA1

    435b95fae6ae7060baffd7411332b031b4781288

    SHA256

    dde59e35bfde917478e3c1838b43b9f0de750ac4f9d3269a5b917bd6006e5389

    SHA512

    693f153e71b135ebfcf0e605addb0b918031c464a5cfc2261b14c1233b1cab490b3e79a4c0a5e3267c2fd962d19afdda93f70d9915ef343c4f20b40626214da0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0cdslth5.q1z.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
    Filesize

    431KB

    MD5

    4962575a2378d5c72e7a836ea766e2ad

    SHA1

    549964178b12017622d3cbdda6dbfdef0904e7e2

    SHA256

    eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676

    SHA512

    911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53

    Download Submit

  • C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll
    Filesize

    124KB

    MD5

    c2f3fbbbe6d5f48a71b6b168b1485866

    SHA1

    1cd56cfc2dc07880b65bd8a1f5b7147633f5d553

    SHA256

    c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839

    SHA512

    e211f18c2850987529336e0d20aa894533c1f6a8ae6745e320fd394a9481d3a956c719ac29627afd783e36e5429c0325b98e60aee2a830e75323c276c72f845a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll
    Filesize

    1.2MB

    MD5

    c6aabb27450f1a9939a417e86bf53217

    SHA1

    b8ef3bb7575139fd6997379415d7119e452b5fc4

    SHA256

    b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35

    SHA512

    e5fe205cb0f419e0a320488d6fa4a70e5ed58f25b570b41412ebd4f32bbe504ff75acb20bfea22513102630cf653a41e5090051f20af2ed3aadb53ce16a05944

    Download Submit

  • memory/1412-33-0x000002291CAB0000-0x000002291CAC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1412-34-0x000002291CA90000-0x000002291CA9A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1412-23-0x000002291C720000-0x000002291C742000-memory.dmp

    Filesize

    136KB

    Download